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Introduction 


The Information Commissioner (the Commissioner) is calling for evidence 
and views on the Age Appropriate Design Code (the Code). 


The Code is a requirement of the Data Protection Act 2018 (the Act). The 
Act supports and supplements the implementation of the EU General Data 
Protection Regulation (the GDPR). 


The Code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. Once it has been published, the Commissioner will 
be required to take account of any provisions of the Code she considers to 
be relevant when exercising her regulatory functions. The courts and 
tribunals will also be required to take account of any provisions they 
consider to be relevant in proceedings brought before them. The Code 
may be submitted as evidence in court proceedings. 


Further guidance on how the GDPR applies to children’s personal data can 
be found in our guidance Children and the GDPR. It will be useful to read 
this before responding to the call for evidence, to understand what is 
already required by the GDPR and what the ICO currently recommends as 
best practice. In drafting the Code the ICO may consider suggestions that 
reinforce the specific requirements of the GDPR, or its overarching 
requirement that children merit special protection, but will disregard any 
suggestions that fall below this standard. 


The Commissioner will be responsible for drafting the Code. The Act 
provides that the Commissioner must consult with relevant stakeholders 
when preparing the Code, and submit it to the Secretary of State for 
Parliamentary approval within 18 months of 25 May 2018. She will publish 
the Code once it has been approved by Parliament. 


This call for evidence is the first stage of the consultation process. The 
Commissioner seeks evidence and views on the development stages of 
childhood and age-appropriate design standards for ISS. The 
Commissioner is particularly interested in evidence based submissions 
provided by: bodies representing the views of children or parents; child 
development experts; providers of online services likely to be accessed by 
children, and trade associations representing such providers. She 
appreciates that different stakeholders will have different and particular 
areas of expertise. The Commissioner welcomes responses that are 
limited to specific areas of interest or expertise and only address 
questions within these areas, as well as those that address every question 
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asked. She is not seeking submissions from individual children or parents 
in this call for evidence as she intends to engage with these stakeholder 
groups via other dedicated and specifically tailored means. 


The Commissioner will use the evidence gathered to inform further work 
in developing the content of the Code. 


The scope of the Code 


The Act affords the Commissioner discretion to set such standards of age 
appropriate design as she considers to be desirable, having 

regard to the best interests of children, and to provide such guidance as 
she considers appropriate. 


In exercising this discretion the Act requires the Commissioner to have 
regard to the fact that children have different needs at different ages, and 
to the United Kingdom’s obligations under the United Nations Convention 
on the Rights of the Child. 


During Parliamentary debate the Government committed to supporting 
the Commissioner in her development of the Code by providing her with a 
list of ‘minimum standards to be taken into account when designing it.’ 
The Commissioner will have regard to this list both in this call for 
evidence, and when exercising her discretion to develop such standards 
as she considers to be desirable. 


In developing the Code the Commissioner will also take into account that 
the scope and purpose of the Act, and her role in this respect, is limited to 
making provision for the processing of personal data. 


Responses to this call for evidence must be submitted by 19 September 
2018. You can submit your response in one of the following ways: 


Online 


Download this document and email to: 


childrenandtheGDPR@ICO.org.uk 


Print off this document and post to: 

Age Appropriate Design Code call for evidence 
Engagement Department 

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 
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Cheshire SK9 5AF 


If you would like further information on the call for evidence please 
telephone 0303 123 1113 and ask to speak to the Engagement 
Department about the Age Appropriate Design Code or email 


childrenandtheGDPR@ICO.org.uk 


Privacy statement 

For this call for evidence we will publish responses received from 
organisations but will remove any personal data before publication. We 
will not publish responses from individuals. For more information about 
what we do with personal data please see our privacy notice. 
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Section 1: Your views and evidence 


Please provide us with your views and evidence in the following areas: 


Development needs of children at different ages 


The Act requires the Commissioner to take account of the development 
needs of children at different ages when drafting the Code. 


The Commissioner proposes to use their age ranges set out in the report 
Digital Childhood - addressing childhood development milestones in the 
Digital Environment as a starting point in this respect. This report draws 
upon a number of sources including findings of the United Kingdom 
Council for Child Internet Safety (UKCCIS) Evidence Group in its literature 
review of Children’s online activities risks and safety. 


The proposed age ranges are as follows: 


3-5 
6-9 
10-12 
13-15 
16-17 


Q1. In terms of setting design standards for the processing of children’s 
personal data by providers of ISS (online services), how appropriate you 
consider the above age brackets would be (delete as appropriate): 


Not at all appropriate 
Not really appropriate 
Quite appropriate 
Very appropriate 


Q1A. Please provide any views or evidence on how appropriate you 
consider the above age brackets would be in setting design standards for 
the processing of children’s personal data by providers of ISS (online 
services), 


N/A 
Q2. Please provide any views or evidence you have on children’s 
development needs, in an online context in each or any of the above age 


brackets. 
N/A 
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The United Nations Convention on the Rights of the Child 


The Data Protection Act 2018 requires the Commissioner to take account 
of the UK’s obligations under the UN Convention on the Rights of the Child 
when drafting the Code. 


Q3. Please provide any views or evidence you have on how the 
Convention might apply in the context of setting design standards for the 
processing of children’s personal data by providers of ISS (online 
services) 


N/a 


Aspects of design 


The Government has provided the Commissioner with a list of areas which 
it proposes she should take into account when drafting the Code. 


These are as follows: 
e default privacy settings, 
e data minimisation standards, 
e« the presentation and language of terms and conditions and privacy 
notices, 
e uses of geolocation technology, 
e automated and semi-automated profiling, 
e transparency of paid-for activity such as product placement and 
marketing, 
the sharing and resale of data, 
the strategies used to encourage extended user engagement, 
user reporting and resolution processes and systems, 
the ability to understand and activate a child’s right to erasure, 
rectification and restriction, 
e the ability to access advice from independent, specialist advocates 
on all data rights, and 
e any other aspect of design that the commissioner considers 
relevant. 


Q4. Please provide any views or evidence you think the Commissioner 
should take into account when explaining the meaning and coverage of 
these terms in the code. 


Q5. Please provide any views or evidence you have on the following: 
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Q5A. about the opportunities and challenges you think might arise in 
setting design standards for the processing of children’s personal data by 
providers of ISS (online services), in each or any of the above areas. 


The young people were sometimes unaware of the need to be a certain 
age to use particular apps/websites and admitted that when they were 
aware of the age limits for certain websites/apps they would ignore this 
and use them without the knowledge of parents/guardians. Thought 
needs to be given as to how organisations can monitor compliance with 
and enforce these rules. 


Q5B. about how the ICO, working with relevant stakeholders, might use 
the opportunities presented and positively address any challenges you 
have identified. 


Ensure any marketing of websites/apps is age appropriate. 


Better educate young people about why age limits exist and the potential 
ramifications/pitfalls of uploading personal information. 


Q5C. about what design standards might be appropriate (ie where the bar 
should be set) in each or any of the above areas and for each or any of 
the proposed age brackets. 


All of the responses relate to young people aged 16-17: 


e default privacy settings 


The young people did not like having to proactively ‘turn off’ access to 
personal data. They preferred to be given a choice to allow more access 
to information if they wanted to. They also did not like apps changing 
privacy settings through updates without informing them or hiding the 
changes with other information. 


o data minimisation standards, 
The young people did not like websites/apps that asked for bank details 


whilst indicating the service was free (for example for a 3 month free 
trial) and felt details should only be asked for after the trial had expired. 
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The young people all felt that too much data was collected by social 
media companies without any real need for the data. For example the 
young people reported that snapchat requires location data to be switched 
on to enable you to use filters, the young people did not understand the 
reason for this and did not like this. 


The young people reported using apps/websites even though they were 
uncomfortable with the level of personal information that was being 
collected because family/friends used the app/website and therefore they 
felt they had no real choice but to allow the use of their data. 


Permission to use location was often requested without an easy to 
understand explanation of why that information was being collected. 


° the presentation and language of terms and conditions and privacy 
notices, 


The young people wanted Privacy Notices designed specifically for 
children/young people, that fit on 1 page, are simple and got to the point 
with yes/no options wherever possible. They liked the idea of layered 
notices so more in depth information could be found if required. 


Enable you to zoom in on privacy notices so they can be read with ease 
on a mobile phone screen. The young people reported that this was not 
always possible. 


The young people felt it would be a lot easier to understand how to 
manage privacy settings if social media companies all used the same 
language, types of settings and displayed the information in the same 
way so that you didn't have to work out how to change the settings for 
each different app/website. 


The young people wanted simple Yes or No Questions when they are 
being asked to consent to use, language that is easy to understand and in 
plain English. They also wanted the information to be kept separate (eg 
from other T & Cs) 


The young people thought a video may be a good way of communicating 
the information. 


e uses of geolocation technology, 
The young people were concerned that location often ‘turns back on’ 


when updates are installed and that sometimes they couldn’t turn it off or 
it kept switching back on. 
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The young people wanted to allow access to some information from their 
devices eg photographs, whilst denying access to other information eg 
location. 


One particular concern was that when location is turned off in snapchat 
the user’s last known location is still shown on the ‘snapmap’. This often 
showed a user’s home address or somewhere they often visited and there 
was no known way to remove this unless they turned location on again 
somewhere else. 


They young people were concerned that people who add you as a contact 
but you have not responded to their request can see you on snap map 
unless you are in ‘ghost mode’. This is not obvious and many young 
people did not realise this was happening. 


° transparency of paid-for activity such as product placement and 
marketing, 


Many of the young people had completed ‘surveys’ online, many on social 
media sites without appreciating what the information was being used for 
or what potentially it could be used for. Sometimes this would be paid. 


One was asked a question about whether Teresa May should still be prime 
minister and didn’t believe she had given away anything about herself by 
answering the question. Other young people reported always deleting the 
surveys because they were worried about them. 


This is an area that should be referred to specifically in the code. 
° the sharing and resale of data, 


The young people were concerned that information was shared by 
organisations without them realising it would be, for example google 
images showed their social media profile pictures even though they had 
set their accounts to private. The young people had an understanding that 
once they had uploaded something it was likely to always be on the 
internet somewhere. 


° the strategies used to encourage extended user engagement, 


The young people did not like features that could lead to others knowing 
when they had viewed their social media accounts. For example the use 
of a ‘snapchat score’, which goes up when you use the app, meant that 
friends would often query why they hadn't responded to a particular 
message. Their friends knew they had used the app because their 
snapchat score had ‘gone up’. An option to turn this on/off was desired. 
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the ability to understand and activate a child’s right to erasure, 


rectification and restriction, 


Organisations should make it clear you don’t have to pay to 
delete/remove personal data as some young people were unclear about 


this. 


Q5D. examples of ISS design you consider to be good practice. 


The young people wanted to be alerted if someone tags them in a 
photo so they can ‘approve’ or ‘reject’ the tag. Not all apps offer 
this feature. When alerting the individual, the apps should also 
make it clear who will be able to see the photo, eg whether the 
person who has tagged you has set their account to private or 
whether it would be available to view by all. The young people were 
concerned that when someone tagged you and they had not set 
their account to private everyone could see the photos. They 
believed this also led to the images being able to be located ina 
google search. 

Default to the ‘more private’ privacy settings so you have to change 
the settings to allow access/share more information. Do not change 
privacy settings or introduce new features which affect privacy 
hidden with updates. 

Maximise choice wherever possible 

Include somewhere a list of any contacts that you have deleted so 
that you don’t have to block people to see that they definitely have 
been removed from your contacts. 

Make it easy to change your mind later on if you want to 

Guidance for users about uploading other people’s information eg 
asking them how they feel about it and not just assuming they are 
happy for it to be uploaded, guidance to parents/carers to think 
about what they upload about the young people/children. 


Q5E. about any additional areas, not included in the list above that you 
think should be the subject of a design standard. 


The young people were particularly concerned with the personal data 
others had shared about them online. They wanted to be more in control 
of this. 
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Q6. If you would be interested in contributing to future solutions focussed 
work in developing the content of the code please provide the following 
information. The Commissioner is particularly interested in hearing from 
bodies representing the views of children or parents, child development 
experts and trade associations representing providers of online services 
likely to be accessed by children, in this respect. 


Name 


Email 
Brief summary of what you think you could offer 
Further views and evidence 


Q7. Please provide any other views or evidence you have that you 
consider to be relevant to this call for evidence. 


The young people wanted organisations to improve on the 
following: 


Allow me to use the app/website without collecting more personal data 
than I want to give. 

Always enable you to turn off location data (don’t have it automatically 
switched on or switch it on when updates are downloaded). 

Option sent to you when you’re tagged in a photo to see whether you do 
want to be tagged or not. 

Let me use the Apps without collecting unnecessary personal data 
Always allow choice/option to deny access 

Give choice for different types of personal data eg yes to accessing photos 
no to accessing location rather than lumping everything together 

Make it easy to change your mind later on if you want to 

Make it easy to change settings 


The young people particularly wanted to be provided 
with guidance about the following: 

What happens if I delete my account and set up a new one - 
does this delete all of the information from my last account? 
How do you turn off your location - it never seems to work? 
Where is my Data Stored? 

When I delete my photos from social media, why do they still 
appear in google images and how can I delete them from 
everywhere? 

Why do images appear in google images even though my 
profile is set to private? 
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When is it allowed for others to access my data? 
What are my rights when it comes to my data? 
When can I actually say no to my data being held? 
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Section 2: About you 


Are you: 


A body representing the views or interests of children? 
Please specify: 

Heritage and Culture Warwickshire, part of Warwickshire 
County Council conducted a session with young people 
from Warwickshire who are in foster care or who had 
recently left foster care, to ascertain their understanding 
of online privacy issues. The session was funded by Arts 
Connect to provide guidance to the Heritage Sector about 
the use of young people’s data in future digital projects. 


A body representing the views or interests of parents? 
Please specify: 


A child development expert? 
Please specify: 


A provider of ISS likely to be accessed by children? 
Please specify: 


A trade association representing ISS providers? 
Please specify: 


An ICO employee? 
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Other? 
Please specify: 


Thank you for responding to this call for evidence. 
We value your input. 
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